Analysis

  • max time kernel
    189s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2022 08:44

General

  • Target

    b57f46aae59e5b141af36a0e5598cb7b.PDF.js

  • Size

    856KB

  • MD5

    b57f46aae59e5b141af36a0e5598cb7b

  • SHA1

    d7c37a169fd2399d44b6330d8c459f5edd0151dd

  • SHA256

    15c52aa78fef0b66472f35c92e2778fcc726762e4f648ea8b027074f4d13fe46

  • SHA512

    040321fa3f3db208587af428bcc2643e36b941eaaea788c86c1e380168b35790c735cc09bbe29305feb1612bd9673e239007a728a7aa388427a7fa34235eb6f1

  • SSDEEP

    12288:5F+J0rvOJnnLrRoIalxPZu2o0iZTbSX7/QCFxweyve:+JGrhu5qVGve

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

84.21.172.33:5763

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    uac.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-AG7QM3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • UAC bypass 3 TTPs 2 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 8 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\b57f46aae59e5b141af36a0e5598cb7b.PDF.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkBSYEKIrV.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1528
    • C:\Users\Admin\AppData\Roaming\remcos_a.exe
      "C:\Users\Admin\AppData\Roaming\remcos_a.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • Modifies registry key
          PID:3396
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vchbvrviktjtj.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\uac.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4116
          • C:\ProgramData\Remcos\uac.exe
            C:\ProgramData\Remcos\uac.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4052
            • C:\Windows\SysWOW64\cmd.exe
              /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4832
              • C:\Windows\SysWOW64\reg.exe
                C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • Modifies registry key
                PID:2084
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              6⤵
              PID:624
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\pbugfkaucahtniktxypjoljsphonsmch"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2260
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\svir"
                6⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook accounts
                PID:4512
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\cxnjgvw"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4332
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\hgotdmbvouojwkmtirxzcjwismdrnz"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1108
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\jaueefmwccgnzybxrbjafwrztavagjlej"
                6⤵
                • Executes dropped EXE
                • Accesses Microsoft Outlook accounts
                PID:2184
              • C:\ProgramData\Remcos\uac.exe
                C:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\udzwxx"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:732

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Persistence
        Registry Run Keys / Startup Folder (T1060): 1
      • Privilege Escalation
        Bypass User Account Control (T1088): 1
      • Defense Evasion
        Bypass User Account Control (T1088): 1
        Disabling Security Tools (T1089): 1
        Modify Registry (T1112): 3
      • Credential Access
        Credentials in Files (T1081): 1
      • Discovery
        Query Registry (T1012): 1
        System Information Discovery (T1082): 2
      • Collection
        Data from Local System (T1005): 1
        Email Collection (T1114): 1

    Downloads

    • C:\ProgramData\Remcos\uac.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

    • C:\Users\Admin\AppData\Local\Temp\hgotdmbvouojwkmtirxzcjwismdrnz
      Filesize

      4KB

      MD5

      52211867093eff778e3dc3df6d9c4134

      SHA1

      28a3a9f8b1120ebb1a0f9bd1dd50325260376c61

      SHA256

      4a636cc2c0d4458af6252981600557e0cd4cd52f55bae619532d4b3410457d8c

      SHA512

      b940818d2a90226f7b46f269f1d9828a9c7a0c543ae68f5dca18f8d2f1d1a7ea3808a573970c9bf3348a9215a81f5b889f3af0823b65e82ef345a9eefdde924a

    • C:\Users\Admin\AppData\Local\Temp\vchbvrviktjtj.vbs
      Filesize

      380B

      MD5

      7b8772bb10bd0b5381f26c961f6d2768

      SHA1

      ad8bdcb8251394e87f5599abdb0bc2334f65eb12

      SHA256

      0bb9b2e1d903edf86f15874531f3ceea186e953ab8f8489ecd601fd7eac5b457

      SHA512

      bff73e04eb175c741a733c48a3bb38821d26d470e9b25ee0c18b1b7d0ccf850d57a9cee94843016c78e17f6859ca86dd6b4ea59296ed7b0022d7cf915a743a75

    • C:\Users\Admin\AppData\Roaming\DkBSYEKIrV.js
      Filesize

      7KB

      MD5

      de6279ecda86cb1c9dea290f11778fed

      SHA1

      510eeb73129bf63873ed19fd07955e2e8cb3e83d

      SHA256

      a99dbe1f52517b26087512d54d1f849c0216f14ab9f3c618c437546118dd1373

      SHA512

      f3434f9b38f0d2b9a52aa160698aec75d03f3bd92263a06636098561e0b5f310191bca760338a0640a280893488f781cb2df80f52b9a6f3a631dd2c4fcecff73

    • C:\Users\Admin\AppData\Roaming\remcos_a.exe
      Filesize

      470KB

      MD5

      d7eda792cc905481af5f73aa23dcfbcb

      SHA1

      24bacf412ca6befbaf27703019ab3aafa0e52596

      SHA256

      da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108

      SHA512

      0891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da

    • memory/608-134-0x0000000000000000-mapping.dmp
    • memory/624-148-0x0000000000A30000-0x0000000000AAF000-memory.dmp
      Filesize

      508KB

    • memory/624-146-0x0000000000000000-mapping.dmp
    • memory/732-166-0x0000000000000000-mapping.dmp
    • memory/732-169-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/1056-137-0x0000000000000000-mapping.dmp
    • memory/1108-162-0x0000000000000000-mapping.dmp
    • memory/1108-170-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

    • memory/1108-172-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

    • memory/1528-132-0x0000000000000000-mapping.dmp
    • memory/2084-147-0x0000000000000000-mapping.dmp
    • memory/2184-164-0x0000000000000000-mapping.dmp
    • memory/2184-168-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

    • memory/2260-155-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

    • memory/2260-160-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

    • memory/2260-161-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

    • memory/2260-149-0x0000000000000000-mapping.dmp
    • memory/3396-138-0x0000000000000000-mapping.dmp
    • memory/3708-139-0x0000000000000000-mapping.dmp
    • memory/4052-142-0x0000000000000000-mapping.dmp
    • memory/4116-141-0x0000000000000000-mapping.dmp
    • memory/4332-158-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/4332-157-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

    • memory/4332-153-0x0000000000000000-mapping.dmp
    • memory/4512-159-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

    • memory/4512-156-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

    • memory/4512-151-0x0000000000000000-mapping.dmp
    • memory/4832-145-0x0000000000000000-mapping.dmp